Meta AI Support Exploit Allowed Hackers to Hijack Instagram Accounts

A recently discovered security flaw in Instagram has highlighted a growing challenge for companies integrating AI into customer support workflows: ensuring that automated systems cannot be manipulated by attackers.

Several Instagram users reported over the weekend that their accounts had been taken over by unauthorized individuals. According to security researchers and affected users, the attackers appeared to exploit Meta’s AI-powered support assistant to gain control of accounts without accessing the legitimate owner’s email address.

Among the reported victims were high-profile accounts, including the Instagram profile associated with the Obama-era White House and the account of U.S. Space Force Chief Master Sergeant John Bentivegna. Security researcher Jane Wong also reported that her account was compromised, noting that her password was changed without her knowledge while multiple password reset attempts were being made.

How the Attack Worked

Videos shared online demonstrated a method that allegedly allowed attackers to convince Meta’s AI Support Assistant to add a new email address to an existing Instagram account.

The process reportedly involved:

  • Using a VPN to simulate the victim’s geographic location and avoid triggering security checks.
  • Initiating a conversation with Meta’s AI support chatbot.
  • Requesting that a new email address be added to the target account.
  • Receiving a verification code at the attacker’s email address.
  • Using the code to complete the email addition process.
  • Triggering a password reset and setting a new password.

What makes this incident particularly concerning is that the attackers reportedly never needed access to the victim’s original email account, which is traditionally considered one of the key safeguards in account recovery workflows: the verification code for the new address went to the address being added, so the party proving control of it was the same party requesting the change.

AI Automation Creates New Attack Surfaces

The incident serves as another reminder that AI systems can become part of the attack surface when they are granted access to sensitive workflows such as authentication, account recovery, or identity verification.

Traditional cybersecurity controls are often designed around human-operated processes, where support agents can identify unusual requests or suspicious behavior. AI-powered systems, however, depend entirely on the rules, permissions, and validation mechanisms built into them.

When those controls are incomplete or improperly configured, attackers may discover ways to manipulate the system into performing actions it was never intended to authorize.

The Growing Importance of AI Governance

As organizations increasingly deploy AI-driven assistants across customer service, internal operations, and business processes, security teams face a new challenge: governing what AI systems are allowed to do and verifying that every automated action includes appropriate safeguards.

The Instagram incident illustrates why AI implementation requires more than simply connecting a model to existing workflows. Every automation point must be designed with security, auditability, and abuse prevention in mind.

For businesses adopting AI-powered support tools, key considerations include:

  • Strict identity verification before account changes.
  • Human approval for sensitive actions.
  • Detailed audit logs for AI-generated decisions.
  • Continuous security testing and red-team exercises.
  • Clear limitations on what AI agents can modify autonomously.
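The following is an added example, not code from Meta, Instagram, or the article's author, and it makes no claim about how Meta's assistant is actually implemented. It models the considerations above as an authorization gate in front of an AI assistant's "add email" tool: the weak flow sends the verification code to the address being added, while the guarded flow requires a verified owner session, sends the challenge to an address the account already trusts, holds the change for human approval, and writes an audit entry at every step. The apparent client region is deliberately not an input, since the page notes it can be simulated with a VPN. All names, accounts and addresses are constructed for the illustration.

```python
"""Added example: a hypothetical tool-authorization gate for an AI support
assistant. Constructed for illustration; not Meta's or Instagram's code."""
from dataclasses import dataclass, field
import secrets


@dataclass
class Account:
    user_id: str
    primary_email: str
    emails: list = field(default_factory=list)


@dataclass
class Session:
    """What the assistant knows about the requester. Client region is NOT a
    field on purpose: it is spoofable via VPN and never counts as evidence."""
    account: Account
    owner_verified: bool  # True only after a real identity check on this session


@dataclass
class Outbox:
    """Constructed stand-in for e-mail delivery; records (recipient, code)."""
    sent: list = field(default_factory=list)

    def send_code(self, to):
        code = f"{secrets.randbelow(10**6):06d}"
        self.sent.append((to, code))
        return code


@dataclass
class AuditLog:
    """Every AI-initiated decision is recorded, including denials."""
    entries: list = field(default_factory=list)

    def record(self, action, user_id, outcome, **detail):
        self.entries.append({"actor": "ai_assistant", "action": action,
                             "user": user_id, "outcome": outcome, **detail})


class ApprovalQueue:
    """Human sign-off for sensitive actions; the assistant cannot self-approve."""
    def __init__(self):
        self.tickets = {}

    def submit(self, request):
        tid = f"T{len(self.tickets) + 1}"
        self.tickets[tid] = {"request": request, "approved_by": None}
        return tid

    def approve(self, tid, reviewer):
        self.tickets[tid]["approved_by"] = reviewer


# Weak flow: the only check is that the requester can read the NEW address.
# The requester controls that address, so account ownership is never established.
def weak_add_email(account, new_email, outbox):
    return {"account": account, "new_email": new_email,
            "code": outbox.send_code(new_email)}


def weak_confirm(pending, code_entered):
    if code_entered == pending["code"]:
        pending["account"].emails.append(pending["new_email"])
        return True
    return False


# Guarded flow: verified session, challenge to an address the account already
# trusts, human approval, and an audit entry at every step.
def guarded_add_email(session, new_email, outbox, audit, approvals):
    acct = session.account
    if not session.owner_verified:  # strict identity verification first
        audit.record("add_email", acct.user_id, "denied", reason="owner not verified")
        return None
    code = outbox.send_code(acct.primary_email)  # never to the address being added
    tid = approvals.submit({"action": "add_email", "user": acct.user_id, "new_email": new_email})
    audit.record("add_email", acct.user_id, "pending", ticket=tid, challenge_to=acct.primary_email)
    return {"account": acct, "new_email": new_email, "code": code, "ticket": tid}


def guarded_confirm(pending, code_entered, audit, approvals):
    acct, tid = pending["account"], pending["ticket"]
    if approvals.tickets[tid]["approved_by"] is None:
        audit.record("add_email", acct.user_id, "denied", ticket=tid, reason="no human approval")
        return False
    if not secrets.compare_digest(code_entered, pending["code"]):
        audit.record("add_email", acct.user_id, "denied", ticket=tid, reason="bad code")
        return False
    acct.emails.append(pending["new_email"])
    audit.record("add_email", acct.user_id, "applied", ticket=tid,
                 approved_by=approvals.tickets[tid]["approved_by"])
    return True


def demo():
    """Run both flows against constructed accounts and return the outcomes."""
    outbox, audit, approvals = Outbox(), AuditLog(), ApprovalQueue()
    victim = Account("u1", "owner@example.com", ["owner@example.com"])
    p = weak_add_email(victim, "other@example.net", outbox)  # unverified requester
    weak_added = weak_confirm(p, outbox.sent[-1][1])         # succeeds: flaw shown
    target = Account("u2", "owner2@example.com", ["owner2@example.com"])
    denied = guarded_add_email(Session(target, owner_verified=False),
                               "other@example.net", outbox, audit, approvals)
    p2 = guarded_add_email(Session(target, owner_verified=True),
                           "new@example.com", outbox, audit, approvals)
    before = guarded_confirm(p2, outbox.sent[-1][1], audit, approvals)  # no approval yet
    approvals.approve(p2["ticket"], "support-reviewer")
    after = guarded_confirm(p2, outbox.sent[-1][1], audit, approvals)
    return {"weak_added": weak_added, "guarded_denied": denied is None,
            "before_approval": before, "after_approval": after,
            "challenge_recipient": outbox.sent[-1][0], "audit_entries": len(audit.entries)}
```

Running `demo()` shows the weak flow adding an address with no proof of ownership, the guarded flow refusing an unverified session outright, and, for a verified owner, the change going through only after the code from the existing address is entered and a human reviewer has approved the ticket; the audit log holds one entry per decision, denials included, which is what makes abuse of the assistant detectable after the fact.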

A Quick Response, but an Important Warning

Instagram has since confirmed that the vulnerability has been fixed. The company has not disclosed how many accounts may have been affected, but the incident underscores a broader reality facing the technology industry.

As AI becomes more deeply embedded into operational systems, organizations must evaluate AI not only as a productivity tool, but also as a potential security risk. The most effective AI deployments will be those that balance automation with robust governance, oversight, and security controls from the very beginning.

Control F5 Team
Blog Editor